NHS suffered six data breaches every day since 2011, study finds

The NHS has suffered more than 7,000 data breaches in the last three years, a rising volume of incidents that will only be tackled when prison sentences are handed down for serious offences, a study by campaign group Big Brother Watch (BBW) has argued.

Analysis of Freedom of Information (FoI) requests sent to health trusts and authorities (including Scotland and Northern Ireland), which drew a 92 percent response rate, uncovered a total of 7,255 incidents that breached the Data Protection Act (DPA) severely enough for staff to be disciplined.

This was equivalent to an average of 2,481 breaches per year, or six every day, a dramatic rise compared to the three years prior to 2011 when a similar BBW study recorded only 806 incidents.

Broken down by cause, 103 incidents related to data theft or loss, 236 involved data inappropriately shared by letter or email, 251 involved data shared with an unauthorised third party, and 124 were caused by an issue with IT systems.

In fifty cases, data was shared on social media; on 143 occasions data was accessed for 'personal reasons'; and on 115 occasions staff were found to have accessed their own records.

This resulted in 32 staff resigning during disciplinary proceedings, including 1 pending court case for a DPA breach, BBW reported.

The number of breaches underlined the difficulties faced by the care.data scheme, a programme designed to share patient health information across England, which many NHS users now had concerns about, BBW said.

"The information held in medical records is of huge personal significance and for details to be wrongly disclosed, maliciously accessed or lost is completely unacceptable," said BBW's director, Emma Carr.

"With an increasing number of people having access to patients' information, the threat of data breaches will only get worse. Urgent action is therefore needed to ensure that medical records are kept safe and the worst data breaches are taken seriously."

Sanctions should also be tougher, with courts able to hand down prison sentences where necessary and serious offenders being given criminal records to avoid repeat incidents, she said.

However, not all the abuse was deliberate, and poor training was a root cause in some incidents.

"If the government wants to make the public's data more accessible, then this must go hand in hand with greater penalties for those who abuse that access. This should include the threat of jail time and a criminal record," said Carr.

The full report makes fascinating reading as a real-world take on data breaches, itemising every single breach that was reported as part of its research.

Incidents included a probation officer who gave the personal details of a domestic abuse victim to her abuser and was fined only £150 for the offence, and the NHS Surrey computer that was bought at auction containing the records of 3,000 patients, resulting in a £200,000 ICO fine.

"Whilst fines may, at first, appear to be a sensible response, they quickly lose their impact on closer inspection," said the report in a possibly unintentional swipe at the ICO's impotent regime.

The BBW is correct to question the effectiveness of fines. The bigger sanction for private firms is simply embarrassment and loss of reputation. In many cases inside the NHS and public sector this rule is blunted by the fact that few members of the public ever find out about incidents.


Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.